* quota and ampd
@ 2002-07-08 21:57 Ryan Bergauer
  2002-07-09  0:37 ` Ed Street
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ryan Bergauer @ 2002-07-08 21:57 UTC (permalink / raw)
  To: selinux


I just installed the new release of SELinux, and I get about 7 messages
at boot-time requesting different permissions for quotaon, per the
following:
 
avc:   denied   { read } for  pid=141 exe=/sbin/quotaon
path=/usr/lib/locale/en_US.iso885915/LC_IDENTIFICATION dev=03:02
ino=1289283 scontext=system_u:system_r:quota_t
tcontext=system_u:object_r:writeable_t tclass=file
 
That wasn't there before the new release, and my kernel configuration
should've been the same. Anyone else getting this?
 
In addition, I'm getting quite a few denied messages at boot and
shutdown regarding killall5 when I enable Advanced Power Management Bios
in the kernel (with apmd_t wanting read-type permissions for items in
init_t and kernel_t.) This sound familiar to anyone else? Please note
that this was occurring before the new release, I just never got around
to confronting it until now.
 
Thanks!
-Ryan


* RE: quota and ampd
  2002-07-08 21:57 quota and ampd Ryan Bergauer
@ 2002-07-09  0:37 ` Ed Street
  2002-07-09 11:20 ` Stephen Smalley
  2002-07-09 20:51 ` quota and ampd Russell Coker
  2 siblings, 0 replies; 6+ messages in thread
From: Ed Street @ 2002-07-09  0:37 UTC (permalink / raw)
  To: 'Ryan Bergauer', selinux


Hello,
 
Quota is one of the packages I was working on over the weekend.  I did
get some messages as well but I had more probs w/ version 2 of quota and
have not finished playing with it yet.
 
You can run newrule -d -v to get the syntax that's needed.
 
Ed
 
-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Ryan Bergauer
Sent: Monday, July 08, 2002 5:58 PM
To: selinux@tycho.nsa.gov
Subject: quota and ampd
 
I just installed the new release of SELinux, and I get about 7 messages
at boot-time requesting different permissions for quotaon, per the
following:
 
avc:   denied   { read } for  pid=141 exe=/sbin/quotaon
path=/usr/lib/locale/en_US.iso885915/LC_IDENTIFICATION dev=03:02
ino=1289283 scontext=system_u:system_r:quota_t
tcontext=system_u:object_r:writeable_t tclass=file
 
That wasn't there before the new release, and my kernel configuration
should've been the same. Anyone else getting this?
 
In addition, I'm getting quite a few denied messages at boot and
shutdown regarding killall5 when I enable Advanced Power Management Bios
in the kernel (with apmd_t wanting read-type permissions for items in
init_t and kernel_t.) This sound familiar to anyone else? Please note
that this was occurring before the new release, I just never got around
to confronting it until now.
 
Thanks!
-Ryan


* Re: quota and ampd
  2002-07-08 21:57 quota and ampd Ryan Bergauer
  2002-07-09  0:37 ` Ed Street
@ 2002-07-09 11:20 ` Stephen Smalley
  2002-07-09 19:21   ` quota and ampd (and one more thing) Ryan Bergauer
  2002-07-09 20:51 ` quota and ampd Russell Coker
  2 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2002-07-09 11:20 UTC (permalink / raw)
  To: Ryan Bergauer; +Cc: selinux


On Mon, 8 Jul 2002, Ryan Bergauer wrote:

> I just installed the new release of SELinux, and I get about 7 messages
> at boot-time requesting different permissions for quotaon, per the
> following:
>
> avc:   denied   { read } for  pid=141 exe=/sbin/quotaon
> path=/usr/lib/locale/en_US.iso885915/LC_IDENTIFICATION dev=03:02
> ino=1289283 scontext=system_u:system_r:quota_t
> tcontext=system_u:object_r:writeable_t tclass=file
>
> That wasn't there before the new release, and my kernel configuration
> should've been the same. Anyone else getting this?

The quota_t domain is new to this upstream release.  It was contributed by
Russell Coker.  Hence, it isn't surprising that you may see some denials
on RH systems, since Russell is using Debian.  Feel free to grant quota_t
read access to writeable_t (and even write access, if required).

> In addition, I'm getting quite a few denied messages at boot and
> shutdown regarding killall5 when I enable Advanced Power Management Bios
> in the kernel (with apmd_t wanting read-type permissions for items in
> init_t and kernel_t.) This sound familiar to anyone else? Please note
> that this was occurring before the new release, I just never got around
> to confronting it until now.

What are the specific audit messages (or at least some examples)?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: quota and ampd (and one more thing)
  2002-07-09 11:20 ` Stephen Smalley
@ 2002-07-09 19:21   ` Ryan Bergauer
  2002-07-09 19:29     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Ryan Bergauer @ 2002-07-09 19:21 UTC (permalink / raw)
  To: 'Stephen Smalley'; +Cc: selinux

Stephen Smalley wrote:

>> In addition, I'm getting quite a few denied messages at boot and
>> shutdown regarding killall5 when I enable Advanced Power Management Bios
>> in the kernel (with apmd_t wanting read-type permissions for items in
>> init_t and kernel_t.) This sound familiar to anyone else? Please note
>> that this was occurring before the new release, I just never got around
>> to confronting it until now.
>
> What are the specific audit messages (or at least some examples)?

Here are four of the ones appearing at boot. They're pretty
representative of the rest.

avc:  denied  { getattr } for  pid=712 exe=/sbin/killall5 path=/1/stat
dev=00:03 ino=65547 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:init_t tclass=file

avc:  denied  { read } for  pid=712 exe=/sbin/killall5 path=/1/exe
dev=00:03 ino=65543 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:init_t tclass=lnk_file

avc:  denied  { search } for  pid=712 exe=/sbin/killall5 path=/4
dev=00:03 ino=262146 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:kernel_t tclass=dir

avc:  denied  { read } for  pid=712 exe=/sbin/killall5 path=/4/stat
dev=00:03 ino=262155 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:kernel_t tclass=file


Also, I tried running run_init this morning and received the message
(after authentication):

execvp_secure: No such file or directory

Has anyone encountered this?

-Ryan 



* RE: quota and ampd (and one more thing)
  2002-07-09 19:21   ` quota and ampd (and one more thing) Ryan Bergauer
@ 2002-07-09 19:29     ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2002-07-09 19:29 UTC (permalink / raw)
  To: Ryan Bergauer; +Cc: selinux


On Tue, 9 Jul 2002, Ryan Bergauer wrote:

> Here are four of the ones appearing at boot. They're pretty
> representative of the rest.
>
> avc:  denied  { getattr } for  pid=712 exe=/sbin/killall5 path=/1/stat
> dev=00:03 ino=65547 scontext=system_u:system_r:apmd_t
> tcontext=system_u:system_r:init_t tclass=file

I see.  If apmd needs to be able to kill all processes, you'll need to add
permissions to permit it to access all /proc/PID directories and to send
signals to all processes, e.g.:
	allow apmd_t domain:{ file lnk_file } r_file_perms;
	allow apmd_t domain:dir r_dir_perms;
	allow apmd_t domain:process signal_perms;

> Also, I tried running run_init this morning and received the message
> (after authentication):
>
> execvp_secure: No such file or directory
>
> Has anyone encountered this?

This indicates that you specified a non-existing path as the script name
for run_init.  Or at least that run_init was unable to find it.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
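
Added example, not part of any message in this thread and not the SELinux tools' own code: a Python parser that rejoins the line-wrapped avc denials quoted above and merges them into candidate allow rules for review, and that lists the targets whose role is not object_r (process contexts, as carried by the /proc/PID entries discussed in the reply above). The function names are hypothetical.

```python
import re
from collections import defaultdict

# Denials copied from the messages in this thread, still wrapped as mailed.
SAMPLE = """\
avc:   denied   { read } for  pid=141 exe=/sbin/quotaon
path=/usr/lib/locale/en_US.iso885915/LC_IDENTIFICATION dev=03:02
ino=1289283 scontext=system_u:system_r:quota_t
tcontext=system_u:object_r:writeable_t tclass=file
avc:  denied  { getattr } for  pid=712 exe=/sbin/killall5 path=/1/stat
dev=00:03 ino=65547 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:init_t tclass=file
avc:  denied  { read } for  pid=712 exe=/sbin/killall5 path=/1/exe
dev=00:03 ino=65543 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:init_t tclass=lnk_file
avc:  denied  { search } for  pid=712 exe=/sbin/killall5 path=/4
dev=00:03 ino=262146 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:kernel_t tclass=dir
avc:  denied  { read } for  pid=712 exe=/sbin/killall5 path=/4/stat
dev=00:03 ino=262155 scontext=system_u:system_r:apmd_t
tcontext=system_u:system_r:kernel_t tclass=file
"""

# One record runs from "avc: denied" to the next one, across line breaks.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=avc:|\Z)", re.S)

def parse_denials(text):
    """Return one dict per denial: its key=value fields plus the denied perms."""
    out = []
    for perms, rest in AVC_RE.findall(text):
        rec = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rec["perms"] = perms.split()
        out.append(rec)
    return out

def candidate_rules(records):
    """Merge denials per (source type, target type, class) into rules to review."""
    grouped = defaultdict(set)
    for r in records:
        src, tgt = (r[k].split(":")[2] for k in ("scontext", "tcontext"))
        grouped[(src, tgt, r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def process_targets(records):
    """Target types whose role is not object_r, i.e. process contexts."""
    return sorted({r["tcontext"].split(":")[2] for r in records
                   if r["tcontext"].split(":")[1] != "object_r"})
```

Calling `candidate_rules(parse_denials(SAMPLE))` yields one narrowly scoped rule per target type; compare that list with the broader `domain`-attribute rules in the reply above before deciding how much to grant.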





* Re: quota and ampd
  2002-07-08 21:57 quota and ampd Ryan Bergauer
  2002-07-09  0:37 ` Ed Street
  2002-07-09 11:20 ` Stephen Smalley
@ 2002-07-09 20:51 ` Russell Coker
  2 siblings, 0 replies; 6+ messages in thread
From: Russell Coker @ 2002-07-09 20:51 UTC (permalink / raw)
  To: Ryan Bergauer, selinux

On Mon, 8 Jul 2002 17:57, Ryan Bergauer wrote:
> I just installed the new release of SELinux, and I get about 7 messages
> at boot-time requesting different permissions for quotaon, per the
> following:

I should have some new additions for the quota.te file soon which may address 
these issues.

> In addition, I'm getting quite a few denied messages at boot and
> shutdown regarding killall5 when I enable Advanced Power Management Bios
> in the kernel (with apmd_t wanting read-type permissions for items in
> init_t and kernel_t.) This sound familiar to anyone else? Please note
> that this was occurring before the new release, I just never got around
> to confronting it until now.

I'll check that out, I don't often check shutdown errors...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
